├── IIsWebServerSetting.txt ├── IIsWebVirtualDirSetting.txt ├── README.md ├── backup-restore-iis.ps1 ├── configure-http-to-https-redirect.ps1 ├── list-backups-iis.ps1 ├── todo.md └── tune-ssl-cipher-suites.ps1 /IIsWebServerSetting.txt: -------------------------------------------------------------------------------- 1 | >>> IIsWebServerSetting Reference 2 | 3 | __GENUS : 2 4 | __CLASS : IIsWebServerSetting 5 | __SUPERCLASS : IIsSetting 6 | __DYNASTY : CIM_Setting 7 | __RELPATH : IIsWebServerSetting.Name="W3SVC/87257621" 8 | __PROPERTY_COUNT : 196 9 | __DERIVATION : {IIsSetting, CIM_Setting} 10 | __SERVER : SECURITY-01 11 | __NAMESPACE : root\MicrosoftIISv2 12 | __PATH : \\SECURITY-01\root\MicrosoftIISv2:IIsWebServer 13 | Setting.Name="W3SVC/87257621" 14 | AccessExecute : False 15 | AccessFlags : 1 16 | AccessNoPhysicalDir : False 17 | AccessNoRemoteExecute : False 18 | AccessNoRemoteRead : False 19 | AccessNoRemoteScript : False 20 | AccessNoRemoteWrite : False 21 | AccessRead : True 22 | AccessScript : False 23 | AccessSource : False 24 | AccessSSL : False 25 | AccessSSL128 : False 26 | AccessSSLFlags : 0 27 | AccessSSLMapCert : False 28 | AccessSSLNegotiateCert : False 29 | AccessSSLRequireCert : False 30 | AccessWrite : False 31 | AdminACLBin : 32 | AllowKeepAlive : True 33 | AllowPathInfoForScriptMappings : False 34 | AnonymousPasswordSync : True 35 | AnonymousUserName : IUSR_SECURITY-01 36 | AnonymousUserPass : 7cR$#T/tQD1!\D 37 | AppAllowClientDebug : False 38 | AppAllowDebugging : False 39 | AppFriendlyName : 40 | AppOopRecoverLimit : -1 41 | AppPoolId : DefaultAppPool 42 | AppWamClsid : 43 | AspAllowOutOfProcComponents : True 44 | AspAllowSessionState : True 45 | AspAppServiceFlags : 0 46 | AspBufferingLimit : 4194304 47 | AspBufferingOn : True 48 | AspCalcLineNumber : True 49 | AspCodepage : 0 50 | AspDiskTemplateCacheDirectory : %windir%\system32\inetsrv\ASP Compiled Templat 51 | es 52 | AspEnableApplicationRestart : True 53 | AspEnableAspHtmlFallback : 
False 54 | AspEnableChunkedEncoding : True 55 | AspEnableParentPaths : False 56 | AspEnableSxs : False 57 | AspEnableTracker : False 58 | AspEnableTypelibCache : True 59 | AspErrorsToNTLog : False 60 | AspExceptionCatchEnable : True 61 | AspExecuteInMTA : 0 62 | AspKeepSessionIDSecure : 0 63 | AspLCID : 2048 64 | AspLogErrorRequests : True 65 | AspMaxDiskTemplateCacheFiles : 2000 66 | AspMaxRequestEntityAllowed : 204800 67 | AspPartitionID : 68 | AspProcessorThreadMax : 25 69 | AspQueueConnectionTestTime : 3 70 | AspQueueTimeout : -1 71 | AspRequestQueueMax : 3000 72 | AspRunOnEndAnonymously : True 73 | AspScriptEngineCacheMax : 250 74 | AspScriptErrorMessage : An error occurred on the server when processin 75 | g the URL. Please contact the system administ 76 | rator. 77 | AspScriptErrorSentToBrowser : True 78 | AspScriptFileCacheSize : 500 79 | AspScriptLanguage : VBScript 80 | AspScriptTimeout : 90 81 | AspSessionMax : -1 82 | AspSessionTimeout : 20 83 | AspSxsName : 84 | AspTrackThreadingModel : False 85 | AspUsePartition : False 86 | AuthAdvNotifyDisable : True 87 | AuthAnonymous : False 88 | AuthBasic : False 89 | AuthChangeDisable : True 90 | AuthChangeUnsecure : False 91 | AuthFlags : 0 92 | AuthMD5 : False 93 | AuthNTLM : False 94 | AuthPassport : False 95 | AuthPersistence : 64 96 | AuthPersistSingleRequest : True 97 | AzEnable : False 98 | AzImpersonationLevel : 0 99 | AzScopeName : 100 | AzStoreName : 101 | CacheControlCustom : 102 | CacheControlMaxAge : 0 103 | CacheControlNoCache : False 104 | CacheISAPI : True 105 | Caption : 106 | CertCheckMode : 0 107 | CGITimeout : 300 108 | ClusterEnabled : False 109 | ConnectionTimeout : 120 110 | ContentIndexed : True 111 | CreateCGIWithNewConsole : False 112 | CreateProcessAsUser : True 113 | DefaultDoc : Default.htm,Default.asp,index.htm 114 | DefaultDocFooter : 115 | DefaultLogonDomain : 116 | Description : 117 | DirBrowseFlags : 1073741886 118 | DirBrowseShowDate : True 119 | DirBrowseShowExtension : True 
120 | DirBrowseShowLongDate : True 121 | DirBrowseShowSize : True 122 | DirBrowseShowTime : True 123 | DisableSocketPooling : True 124 | DisableStaticFileCache : False 125 | DoDynamicCompression : False 126 | DontLog : False 127 | DoStaticCompression : False 128 | EnableDefaultDoc : True 129 | EnableDirBrowsing : False 130 | EnableDocFooter : False 131 | EnableReverseDns : False 132 | FrontPageWeb : False 133 | HttpCustomHeaders : {} 134 | HttpErrors : {System.Management.ManagementBaseObject, Syste 135 | m.Management.ManagementBaseObject, System.Mana 136 | gement.ManagementBaseObject, System.Management 137 | .ManagementBaseObject...} 138 | HttpExpires : D, 0x15180 139 | HttpPics : {} 140 | LogExtFileBytesRecv : False 141 | LogExtFileBytesSent : False 142 | LogExtFileClientIp : True 143 | LogExtFileComputerName : False 144 | LogExtFileCookie : False 145 | LogExtFileDate : True 146 | LogExtFileFlags : 2199519 147 | LogExtFileHost : False 148 | LogExtFileHttpStatus : True 149 | LogExtFileHttpSubStatus : True 150 | LogExtFileMethod : True 151 | LogExtFileProtocolVersion : False 152 | LogExtFileReferer : False 153 | LogExtFileServerIp : True 154 | LogExtFileServerPort : True 155 | LogExtFileSiteName : True 156 | LogExtFileTime : True 157 | LogExtFileTimeTaken : False 158 | LogExtFileUriQuery : True 159 | LogExtFileUriStem : True 160 | LogExtFileUserAgent : True 161 | LogExtFileUserName : True 162 | LogExtFileWin32Status : True 163 | LogFileDirectory : C:\WINDOWS\system32\LogFiles 164 | LogFileLocaltimeRollover : False 165 | LogFilePeriod : 1 166 | LogFileTruncateSize : 20971520 167 | LogOdbcDataSource : HTTPLOG 168 | LogOdbcPassword : sqllog 169 | LogOdbcTableName : InternetLog 170 | LogOdbcUserName : InternetAdmin 171 | LogonMethod : 3 172 | LogPluginClsid : {FF160663-DE82-11CF-BC0A-00AA006111E0} 173 | LogType : 1 174 | MaxBandwidth : -1 175 | MaxBandwidthBlocked : -1 176 | MaxConnections : -1 177 | MaxEndpointConnections : -1 178 | MaxRequestEntityAllowed : -1 179 | 
MimeMap : {System.Management.ManagementBaseObject} 180 | Name : W3SVC/87257621 181 | NTAuthenticationProviders : 182 | PassportRequireADMapping : 1 183 | PasswordCacheTTL : 600 184 | PasswordChangeFlags : 6 185 | PasswordExpirePrenotifyDays : 0 186 | PoolIdcTimeout : 0 187 | ProcessNTCRIfLoggedOn : True 188 | Realm : 189 | RedirectHeaders : {} 190 | RevocationFreshnessTime : 86400 191 | RevocationURLRetrievalTimeout : 0 192 | ScriptMaps : {System.Management.ManagementBaseObject, Syste 193 | m.Management.ManagementBaseObject, System.Mana 194 | gement.ManagementBaseObject, System.Management 195 | .ManagementBaseObject...} 196 | SecureBindings : {System.Management.ManagementBaseObject} 197 | ServerAutoStart : True 198 | ServerBindings : {www.test.com} 199 | ServerCommand : 1 200 | ServerComment : test 201 | ServerID : 202 | ServerListenBacklog : 40 203 | ServerListenTimeout : 120 204 | ServerSize : 1 205 | SetHostName : 206 | SettingID : 207 | ShutdownTimeLimit : 90 208 | SSIExecDisable : False 209 | SSLAlwaysNegoClientCert : False 210 | SslCtlIdentifier : 211 | SslCtlStoreName : 212 | SSLStoreName : 213 | TraceUriPrefix : {} 214 | UploadReadAheadSize : 49152 215 | UseDigestSSP : False 216 | UseHostName : 217 | WebDAVMaxAttributesPerElement : 32 218 | Win32Error : 0 219 | 220 | 221 | 222 | 223 | >>> SecureBinding Reference 224 | 225 | __GENUS : 2 226 | __CLASS : SecureBinding 227 | __SUPERCLASS : IIsStructuredDataClass 228 | __DYNASTY : IIsStructuredDataClass 229 | __RELPATH : SecureBinding.IP="",Port="443:" 230 | __PROPERTY_COUNT : 2 231 | __DERIVATION : {IIsStructuredDataClass} 232 | __SERVER : 233 | __NAMESPACE : 234 | __PATH : 235 | IP : 236 | Port : 443: 237 | 238 | 239 | >>> Bindings Reference 240 | 241 | __GENUS : 2 242 | __CLASS : ServerBinding 243 | __SUPERCLASS : IIsStructuredDataClass 244 | __DYNASTY : IIsStructuredDataClass 245 | __RELPATH : ServerBinding.Hostname="www.test.com",IP="",Port="80" 246 | __PROPERTY_COUNT : 3 247 | __DERIVATION : 
{IIsStructuredDataClass} 248 | __SERVER : 249 | __NAMESPACE : 250 | __PATH : 251 | Hostname : www.test.com 252 | IP : 253 | Port : 80 254 | 255 | __GENUS : 2 256 | __CLASS : ServerBinding 257 | __SUPERCLASS : IIsStructuredDataClass 258 | __DYNASTY : IIsStructuredDataClass 259 | __RELPATH : ServerBinding.Hostname="www.naterice.com",IP="",Port="555" 260 | __PROPERTY_COUNT : 3 261 | __DERIVATION : {IIsStructuredDataClass} 262 | __SERVER : 263 | __NAMESPACE : 264 | __PATH : 265 | Hostname : www.naterice.com 266 | IP : 267 | Port : 555 268 | -------------------------------------------------------------------------------- /IIsWebVirtualDirSetting.txt: -------------------------------------------------------------------------------- 1 | IIsWebVirtualDirSetting Reference 2 | 3 | __GENUS : 2 4 | __CLASS : IIsWebVirtualDirSetting 5 | __SUPERCLASS : IIsSetting 6 | __DYNASTY : CIM_Setting 7 | __RELPATH : IIsWebVirtualDirSetting.Name="W3SVC/1/ROOT" 8 | __PROPERTY_COUNT : 142 9 | __DERIVATION : {IIsSetting, CIM_Setting} 10 | __SERVER : SECURITY-01 11 | __NAMESPACE : root\MicrosoftIISv2 12 | __PATH : \\SECURITY-01\root\MicrosoftIISv2:IIsWebVirtual 13 | DirSetting.Name="W3SVC/1/ROOT" 14 | AccessExecute : False 15 | AccessFlags : 513 16 | AccessNoPhysicalDir : False 17 | AccessNoRemoteExecute : False 18 | AccessNoRemoteRead : False 19 | AccessNoRemoteScript : False 20 | AccessNoRemoteWrite : False 21 | AccessRead : True 22 | AccessScript : True 23 | AccessSource : False 24 | AccessSSL : False 25 | AccessSSL128 : False 26 | AccessSSLFlags : 0 27 | AccessSSLMapCert : False 28 | AccessSSLNegotiateCert : False 29 | AccessSSLRequireCert : False 30 | AccessWrite : False 31 | AdminACLBin : 32 | AnonymousPasswordSync : True 33 | AnonymousUserName : IUSR_SECURITY-01 34 | AnonymousUserPass : 7cR$#T/tQD1!\D 35 | AppAllowClientDebug : False 36 | AppAllowDebugging : False 37 | AppFriendlyName : Default Application 38 | AppOopRecoverLimit : -1 39 | AppPoolId : DefaultAppPool 40 | AppWamClsid : 41 
| AspAllowOutOfProcComponents : True 42 | AspAllowSessionState : True 43 | AspAppServiceFlags : 0 44 | AspBufferingLimit : 4194304 45 | AspBufferingOn : True 46 | AspCalcLineNumber : True 47 | AspCodepage : 0 48 | AspDiskTemplateCacheDirectory : %windir%\system32\inetsrv\ASP Compiled Template 49 | s 50 | AspEnableApplicationRestart : True 51 | AspEnableAspHtmlFallback : False 52 | AspEnableChunkedEncoding : True 53 | AspEnableParentPaths : False 54 | AspEnableSxs : False 55 | AspEnableTracker : False 56 | AspEnableTypelibCache : True 57 | AspErrorsToNTLog : False 58 | AspExceptionCatchEnable : True 59 | AspExecuteInMTA : 0 60 | AspKeepSessionIDSecure : 0 61 | AspLCID : 2048 62 | AspLogErrorRequests : True 63 | AspMaxDiskTemplateCacheFiles : 2000 64 | AspMaxRequestEntityAllowed : 204800 65 | AspPartitionID : 66 | AspProcessorThreadMax : 25 67 | AspQueueConnectionTestTime : 3 68 | AspQueueTimeout : -1 69 | AspRequestQueueMax : 3000 70 | AspRunOnEndAnonymously : True 71 | AspScriptEngineCacheMax : 250 72 | AspScriptErrorMessage : An error occurred on the server when processing 73 | the URL. Please contact the system administra 74 | tor. 
75 | AspScriptErrorSentToBrowser : True 76 | AspScriptFileCacheSize : 500 77 | AspScriptLanguage : VBScript 78 | AspScriptTimeout : 90 79 | AspSessionMax : -1 80 | AspSessionTimeout : 20 81 | AspSxsName : 82 | AspTrackThreadingModel : False 83 | AspUsePartition : False 84 | AuthAdvNotifyDisable : True 85 | AuthAnonymous : True 86 | AuthBasic : False 87 | AuthChangeDisable : True 88 | AuthChangeUnsecure : False 89 | AuthChangeURL : /iisadmpwd/achg.asp 90 | AuthExpiredUnsecureURL : /iisadmpwd/aexp3.asp 91 | AuthExpiredURL : /iisadmpwd/aexp.asp 92 | AuthFlags : 1 93 | AuthMD5 : False 94 | AuthNotifyPwdExpUnsecureURL : /iisadmpwd/anot3.asp 95 | AuthNotifyPwdExpURL : /iisadmpwd/anot.asp 96 | AuthNTLM : False 97 | AuthPassport : False 98 | AuthPersistence : 64 99 | AuthPersistSingleRequest : True 100 | AzEnable : False 101 | AzImpersonationLevel : 0 102 | AzScopeName : 103 | AzStoreName : 104 | CacheControlCustom : 105 | CacheControlMaxAge : 0 106 | CacheControlNoCache : False 107 | CacheISAPI : True 108 | Caption : 109 | CGITimeout : 300 110 | ContentIndexed : True 111 | CreateCGIWithNewConsole : False 112 | CreateProcessAsUser : True 113 | DefaultDoc : Default.htm,Default.asp,index.htm,iisstart.htm 114 | DefaultDocFooter : 115 | DefaultLogonDomain : 116 | Description : 117 | DirBrowseFlags : 1073741886 118 | DirBrowseShowDate : True 119 | DirBrowseShowExtension : True 120 | DirBrowseShowLongDate : True 121 | DirBrowseShowSize : True 122 | DirBrowseShowTime : True 123 | DisableStaticFileCache : False 124 | DoDynamicCompression : False 125 | DontLog : False 126 | DoStaticCompression : False 127 | EnableDefaultDoc : True 128 | EnableDirBrowsing : False 129 | EnableDocFooter : False 130 | EnableReverseDns : False 131 | FrontPageWeb : False 132 | HttpCustomHeaders : {} 133 | HttpErrors : {System.Management.ManagementBaseObject, System 134 | .Management.ManagementBaseObject, System.Manage 135 | ment.ManagementBaseObject, System.Management.Ma 136 | nagementBaseObject...} 137 
| HttpExpires : D, 0x15180 138 | HttpPics : {} 139 | HttpRedirect : 140 | LogonMethod : 3 141 | MaxRequestEntityAllowed : -1 142 | MimeMap : {System.Management.ManagementBaseObject} 143 | Name : W3SVC/1/ROOT 144 | NTAuthenticationProviders : 145 | PassportRequireADMapping : 1 146 | PasswordChangeFlags : 6 147 | PasswordExpirePrenotifyDays : 0 148 | Path : c:\inetpub\wwwroot 149 | PoolIdcTimeout : 0 150 | Realm : 151 | RedirectHeaders : {} 152 | ScriptMaps : {System.Management.ManagementBaseObject, System 153 | .Management.ManagementBaseObject, System.Manage 154 | ment.ManagementBaseObject, System.Management.Ma 155 | nagementBaseObject...} 156 | SettingID : 157 | ShutdownTimeLimit : 90 158 | SSIExecDisable : False 159 | UNCPassword : 160 | UNCUserName : 161 | UploadReadAheadSize : 49152 162 | UseDigestSSP : False 163 | WebDAVMaxAttributesPerElement : 32 164 | Win32Error : 0 165 | Scope : System.Management.ManagementScope 166 | Options : System.Management.ObjectGetOptions 167 | ClassPath : \\SECURITY-01\root\MicrosoftIISv2:IIsWebVirtual 168 | DirSetting 169 | Properties : {AccessExecute, AccessFlags, AccessNoPhysicalDi 170 | r, AccessNoRemoteExecute...} 171 | SystemProperties : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...} 172 | Qualifiers : {dynamic, InstanceExists, InstanceName, Locale. 173 | ..} 174 | Site : 175 | Container : 176 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # letsencrypt-powershell 2 | This is an initiative to port the letsencrypt functionality to Windows via PowerShell 3 | 4 | You can read more about it here https://letsencrypt.org/ 5 | 6 | This is very early development. Assume nothing works. Please read the notes at 7 | the top of each script. If you wish to run any of these scripts please do so in 8 | a non-production environment. 9 | 10 | Thanks! 
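--------------------------------------------------------------------------------
/backup-restore-iis.ps1:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------------
# NAME: backup-restore-iis.ps1
# AUTHOR: Nathan Rice, naterice.com
# DATE: 2015/04/28
#
# KEYWORDS: letsencrypt
#
# COMMENTS: The purpose of this file is to create a backup, list
#           successful backups, and restore available backups for all
#           supported versions of Windows. This is a work in progress and
#           should not be considered complete.
#
# NOTE:     The WMI reference dumps checked in next to this script
#           (IIsWebServerSetting.txt, IIsWebVirtualDirSetting.txt) carry
#           live values for AnonymousUserPass and LogOdbcPassword. Treat
#           those accounts as exposed and redact such fields before
#           committing future captures.
#
# ------------------------------------------------------------------------


Function Check-WindowsVersion() {
    # Backup methods changed from Windows 2003 to Windows 2008+, so this
    # classifies the running OS by its kernel version.
    #   Returns "2008"         - NT 6.0 or later (2008, 2008 R2, 2012, ...)
    #           "2003"         - NT 5.1 / 5.2 (XP and 2003 share backup methods)
    #           "Incompatible" - anything older
    $OS = [Environment]::OSVersion;
    If ($OS.Version.Major -ge 6) {
        # 2008+ share backup methods
        Return "2008";
    } ElseIf ($OS.Version.Major -eq 5 -and $OS.Version.Minor -ge 1) {
        # XP and 2003 share backup methods
        Return "2003";
    } Else {
        Return "Incompatible";
    }
}

Function Check-IISIsInstalled() {
    # Simple check to see if IIS is installed: does the W3SVC service exist?
    # Output is redirected to $null (rather than piped to Out-Null) so the
    # construct is PS 2.0+ compatible. Returns $True/$False, never throws.
    Try {
        Get-Service W3SVC -ErrorAction Stop >$null 2>&1;
        Return $True;
    } Catch {
        #$_.Exception.Message;
        Return $False;
    }
}

Function Check-WebScriptingTools() {
    # On Windows 2008+ with IIS installed, the Web-Scripting-Tools feature
    # is needed to manipulate IIS; install it when it is missing.
    # Returns $True when the tools are available on exit and $False when
    # they are not (older OS, IIS absent, or the install failed).
    #
    # The original test `Check-WindowsVersion = "2008"` handed "=" and
    # "2008" to the function as arguments and then tested its (always
    # non-empty) return value, so this branch ran on every OS.
    If ((Check-WindowsVersion) -ne "2008") {
        Return $False;
    }
    If (!(Check-IISIsInstalled)) {
        Return $False;
    }
    Try {
        Import-Module servermanager -ErrorAction Stop;
        If ((Get-WindowsFeature Web-Scripting-Tools).Installed) {
            Return $True;
        }
        # Capture the FeatureOperationResult instead of letting it leak
        # into the caller's output stream, and report an unsuccessful install.
        $Result = Add-WindowsFeature Web-Scripting-Tools;
        If ($Result.Success) {
            Return $True;
        }
        Write-Error "Failed to install Web-Scripting-Tools.";
        Return $False;
    } Catch {
        Write-Error $_.Exception.Message;
        Return $False;
    }
}

# IisBack.zip
$Base64 = @"
UEsDBBQAAAAIAAA4UjYoWXcrDhUAAAKJAAALAAAAaWlzYmFjay52YnPsXG1v6zQU/jwk/oNVBGzS
6NZdXsu40Nt1dxVbO9rtAoKpchuvDTdNQpxs67/nnNiu7Tp1WzYhhMgH7pL4POf4vNtx+fTDDz4l
7SRdZOF0lpP9yQG5CidZwpP7HJ5naZLRPEziOiGtKCLlKE4yxln2wII6UCPAuzfDSRamORkmRTZh
5DyMGJHv5JsenbMm6Xb5Gzp5X38Y8/L1hx/0U4Qnnac0CidhDg/gJsuSjAwYL+aM9NgTPEUk8XiS
BAyI20nMc9IZDEb9H8m66ztybI582+l1Bq3L0Xmre3k76NgjGyWTqgt5XzHO6VQzvhwNH8N8Musx
FrSy6aiUTQ4CsJp4S2J4zQnNpjCTOK/XkIcCaGeM5iwY3cAEDTlqqKAiJR83yAPLOCrn4xMyo5yM
GYtJe9Bp3XTOEEoBgaLyJJNIWwMNOsOb/sBGOmMR212ks85lZ0UkQYA2l1g2EL5wRr8T0JIAR8sn
5CNTRNDZTahxFTI+P8IXpo6FWWzj4GXQCaf65OLjRhMmZTDqp0y4/oD9WYSgXsfG1xGjnBGeskl4
vyA0JomiAcXcg0lIPmNL63NTQVdh3I3vE3SfFWQlGL4iNCfIJCenWqOvTRwchQ+V8mwkPw5IHKgH
kt7GTvJOnBTT2TXN6JxXYSc5YeUQkuIYlgOMCdGPo0U/ZqDLSiu4SkziCP/DtCpRdkpysKwJ3E7m
aQHc+uM/1gDfxnQcgQUSMmU5mcjxJBn/wSa566suShXUWPgvTJSOQeyKKHRwqmAyMVbjODG4nTgB
jtUwUjwT7TLkuYtVjRbB2FUsbjuE0BUfrQPrJYqOsCeAM6lFIbhgkeMMirqdFFFA4gTMVeZGDKkQ
iGk8AYe4x2hag5eeOIiAB9VGD6q0fXv2fjhJxesBs9O45Z8Zm8J0WIYy6ApZX+FQI2uhVyREaPRJ
cPXYlmgeXIZjj/m30RIRKNUTFu8qZrvNhCVwpejXlPOfw3yWFPktd23sBvtRQbiokzJdFjyMp+TI
8uCfr7rwZ8wmrh+7ChED0ZmBjKRZ8hAGLKuoTEl+nhSxm3l1jQoSxuNPc9ePZaq8SZI3oaNDq27F
xXwMGgw5CASBEU6tyKQ890ABTEulGxqBoYOFEIUTUNkMzAKwMZ2j+QM0kgd61fm+q83pUzgv5oAc
JY8sIA+WxKaY3fiBRmEg4ar0JUdsxtClx4bRGGrCOC8bYJJkGVgWXewxydxafANemsqX0r9CFqDq
Q0XrekGn1Gd1GLypUn2dODU/AdVnpcA1Uo1fnZuSjBQAdJSA2h6zMGcVChNNpE1tK13GTxNaM4O8
FczD2Nv1/JoUZEJjjJmsiIUzQUzP0ZfGbEJRtAWMoRkrA4vGq/DOrEx4iiNg7lDBYZ4JMmCkXDJk
S9g8W2Cw5wlG7X04LTJQgbcHx1yK/75lMctoRGZwT+ZuY84YjnRrFLrJImVqEUKOvieQdUoY4GzS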
C/OZKJX0wls9OLInsIFcHNkOeIBEU7BRoACH+XCwHbBRKnGwE1hF0TglwEXn8nokLXHcMJr2M8ax 84 | ImLr1pTxLCeIDIbK2qK5O5QtjOoaDmteNumJYARsiHmhvJjLFIwX5cQQdriIc/rUXM78tyNOToWj 85 | voabgpwWcBdjt+zFfKUwtWRAnpJTlZNe393dkaPTZVcL6Mt1wZ0X+nMD+nrZZDe9NF+aiygaFYy4 86 | l2EnL9ZXBpapHfNq67o7p5NZGLPlOD+2Y1D3+u2M3dMiypsiS/EFz9ncr7KvDZEtG1aITGFKQTKn 87 | Yfz6d2Ngknk5fOPY2700mjGHSZFlYHOC77yTaBwbLCxPMliocoiBijnW5Il/eRmYQWs6pnmpFIeX 88 | rIjIBuN4iPb1czhxtOS/9qFWR0XAeBnLHIoiCWhO/TwcF/JfWOE4y3OoPfyg7oV+tVl8nbvhktl+ 89 | Fw19vqOG7rNkrpqk/WXrwP08dtOQrftd9PXFFpNRJQovUdTA2HJGfvQvN6PLwiWuy5Wa4Ec3s9w5 90 | BFPAchpGLCAFlsmml9ZMN25v4CU184jTDvhpT8wE4XQAflIz9K2iLwjFnvB8jo1bIvwhp3nByWRG 91 | 4ylTnSKvYiHoLH0eja1tp6oKpBKY8u170H295sNPGztUjlptSOdpJPu6Wu3OB20qp/NU0vGm1IoA 92 | cDpPB0qMW9sXVefStfmP+Fg40e1PdC7E322I3AbHy8Q1mAoSALI95A6ePJBTuebslevJ1370Ci0A 93 | CFOwqlAitF5y+SCtqHalERyGcqHJ0ZIrC+Byu5B5OWzhwyB3OI1ZgGg6PuqkTWNAByMv/Bw2p/4w 94 | ztmUZYfkovv2Ar4JjN51BsNuv3dIksyP/Wojdq/zyxKvruPReu4zgpUfXWsKK3TiSbZI89X0obZJ 95 | mBd/s4LULlJAlKt7AK2krB3NBiwDC6RkDywm4f2y/qnNOw4x4OWx2W/0zpB0SrV3FMbIwo++WSV6 96 | gyVKJnIhJyeL+QYm5eew2XOgN8f0mi1MtwlCjnvVwZ0PvbG+GvvITqrIuMzMDdyqbFmbGpD70h9g 97 | v/M4C3SxH5MeexSAomConnBzxZAD15eM6u7S0xF6eLgOtLn18yG+XAnxc3Hl1t0S1hA5ULQZ/hri 98 | wltFxFND/CjPrhsyC/h4bFU5VKUwSoXK9ZDZ/fCbU8BqtfC6x1ZpvHtvZvBHygkTiZ0F8rsA9fPY 99 | QifoeEbyUo53WG5Kzgue+zlskxmLNI0W5UzktrPigiXcD79FWlTOrjXlVXxVMrQi5mrxRqauh1WL 100 | +nCfky3X8j8RKVMuCzdnzHKcJ2FKHCprH3iQd3WhMV8wnXmZOA6rl8erSyY3kXiQX6J19cJvEWli 101 | Hjr76MzjR9498fjwvvEskf3e70E9Of6bzt/PApu76/u4abHZ83HUer/XGx/a2/Xuhwv08s7usrDt 102 | qvdq1pJUb6r4Sb55RlJS0PYHKPcb1PJUkH0OrX/dGYzetNo/3l6Lw2TWC3nUCl+cWC/EyamS4pX1 103 | 4rI7vJGfZj43dx6OZAIG7mCoOF8KIHgD4Hnr9vJm1GtdAaxEsDc/FMXV2UgSrbg+UHxycS4uBFG8 104 | D1ULeihTq4tkruuA0kQ6N5Bcwj4Q/Tzo3mihG0RdXsJh611ndN4dSHWhhrcjvGr9oiSVhN/AZRBe 105 | hvMwr6a77ACNlvT4mGym6/VHV+AD8nZYqubr4+OvjhvHr0q6DuReISzXH9u6vXety+6ZltTg+9kr 106 | HCdOJ9IQsiysxd6XD87COUnMcymwOhMHN8Q7CAARFIf45y2Xf6h+bDkIa0/5BuWy3mI+X4bCId7h 107 | 
ac0oL/+U5UYMpK1syg/xEJy4H/fVGmXJphQtZuIkKJfilx+XhevL9R95oFGBIbcUH30bE5ucBN7i 108 | nZ6JfGIKK86EysnBTUXg4Gs9ZQ2jRYcH5zTiTMjXjTnGYkhzZh6+wS3NpMjTIsdJQvuBT+YU11Og 109 | iyHLlVEATZwF7ZfHdfZrq8dtagcffgDtMaikLmo4OX1NjsnNjIGSCVw/C2PXO5NZQirPEFWN8x8G 110 | sil+KsJ8v+IMLUjWiQNo3q0Z1QUVTPQi4Zj1FUwrxWO+pSFc3YkaRmbmYS0Bazmzo661x7F21ZtJ 111 | u0l77vkz//iNZ83INkTA59l2qlCptJdtLPkdYMYm73GX6pGVxzbGDD05K2Kxvzbhgi97YuUhNEYD 112 | ksDg5WPQhc2qBBRPOvE0jGUQXYUxnkjSi2DjRGm5NBNdPBpUe9PyZG07KeKcnJLGGuP6T7OCCHvm 113 | aPcQyd9QspPYMIv8JnqpJm82vi04/FHAH6qHaqbNxt23v4m2rdk8/na5nQM3d9/KZRO+qJFPyAhl 114 | cq+aaDBxFLY0+K8AxKatOQZ2stdvPsDf4/cl86DJmo2adAxUDAaZbTbQGmf2hPadKYICSgP1kiVO 115 | l+PdDJ1GmwaGiNf18r/tJGAOQ9BvfwBl82bU6fVv316MWoO3Q4mhq60+gazPWZeZl+p1vjwkJch2 116 | 9QxFtJWDdCLOTOnsU1r6jUqTD+PrDIrTvffI1yFpZRld7EuNiRFYvUDbO8gmPFPLIP7a1a3Rurad 117 | 3kbJmEZ4gwflwUdZYFjpLORpRBf42h9K/R8tNvgNtkMnpVVBjRZPpQPGBdaQRbjP0qac4XA9sfJJ 118 | javP8HZjKFuIMBZVGdzXHmF0GaszZrkQYB+4gdSrDAtewe6Wb2AGA3ZnpVKHw061Ll6WatAGtppu 119 | lb3ILDZzDO59q+PConuwErlVoej5vYCH0OPyeG3t5JrEjBb7qd1Imqu+lZF7Tph0uRUiqNgqnezJ 120 | gNEnECtntFcdP5tnIOVyQ6kuDqvu13S1qK0zmuyePW5joTgAKIXGqNU0G+fC3m1AQ85gufSFM8RJ 121 | am4SVpe3438ZzcnCulZtemnk0ZxGcWe1AbJmLr9r28zJXee0h3m2v1Y21S7UDg52VY7qZdZ7lbW8 122 | uskKmK7f1G4+ki3SfzkhqXtfYrJ2ndDmz0pLeyonGaeZnVntbchIe9oBn51J/FnEbxf7h3c7m1So 123 | 4LmW/Y+kG7Fv+A9mHDvc5VLn/2jXW8kvGOxii/dfG+v9DJd+u4WI34ruj2l3dgGhs38gOewY2m7k 124 | 4NbA/3GjvrS8XNTgd6jnxYyaBS5qcfuzx56snTj9ExBci69Mybe56f89uyB56U0w/F9D4K4GzZnx 125 | 0z4AUk/1N24V3qs7ttXz8f+osFpWDbpOxAf14cKKL/Xa+oq+r4ccVIns7kzoAVYw4sLmS/3Emajv 126 | 96ZOXMMayQPl/TGn63l4v4Ma9U7xUUpCbmy/jYscP76G+HPaOumqnxuCwIe4q8z/au/oepuGgc/8 127 | i4gHSMVATbpSKlEkQJqYND7EHnje2sAqRhOl6QT8euzZ7vl2tuMjW/hQuoe19vnOOd+dLznf5ULm 128 | 7wr5WF/KeIl6rixPbagIUKsjBA9BRsnLzSpiX1BPaEYe2fJnMvO1gPJm5+BN1cabs+1X/VDTXCvw 129 | JXyVwBMGF4Ev6CGReWwp9xjTii/zeLNu1kLCfsoj7LtGoGl0tEetal18K5vC5IgJPTNxQ7KNSUwv 130 | EYa0JWqp1BAwQqiHLtgeiixTWW6h9oQYamkwsrUKqWzGT4Fgq4ErUybqrS6skGpDZ4dKSZD1wLob 131 | 
tnYJoIpu8ZxkTbSeRXdk1P6eIQKe5b17Nnbl66hLc6EWmBAWtc9iHHK31CHvVMCD8TFnZ5tdvVFh 132 | 36Qp9wnKVV3Kw8HSOPhWVY4PHeOQpN5/VnHzVzpu7voQRBQVfcLdMuR0d+4YlI6oJSK5O5BrGwtc 133 | 5T7wSAw5h9ykI7HDjuOfciY7YwFXLEY84wDPGcDZmAOccYBzFnDFAp9wgA9ZwLyJTDnAXnGKHD/r 134 | OJ4jRRlHivIxB1hJkbbPO3GGCNkwZcAZlgwnx0XBdrBjKMctErbKWND5X2D1BqsHqaEcWM5SZ884 135 | sDzMVc6CnjCg5xxYzjzyMQe2yjjQvHn4+REnBlkn45Jzriz3G1MIsXCsKU4ciwWuGJccyPiKBa44 136 | s/v/TepgUiHXjAXMxF3lHPA5C5g3lTlzKj1bNJo4xpit36ZBJIlh0iCzi38NNIkrErbK/rDFuVuL 137 | M1gcyDHjwPIwV3nvSkuz3aJg87FHZSGMxVFYCc9XV5qEFgHZi3MwqGrPgkwz/2Ig50SI2x/X4ofx 138 | LeBHu81SPu2/pUf4MrHJKlwNjQLN0eXZly20CGQasR2Ic9fGh34cQ4HKuapXRSlR6Bpz2F9tN3R0 139 | XQE6j6y/Kb7b8cKDRP6wklVHgBdzOFk446UiVtUkZlFEMzkgIYqD1mfnKv0eV/w2AdnGXgGa5aBq 140 | vcg+GeVKZR6pgV88PHn70JxL8UV826O+EK41GYDj8bT1oAQt6Ro3hCQmkUnASa8ALotnHnx3LR83 141 | o9O3JzmgPsI67NaXq33iNKikUdBk4cw9NTJhqbwlExgBfH1fuzJg/ZN7LZO6X+0r0F+UK9VjLc4T 142 | 1S1j1/u4rdNYmUkQs3UH4j17FZav1mLY/OE+sYdPSB3zFoKkijimxSA1HYdJhUpVs0YGGcKxCpQA 143 | Y1I39RugQbWh7fY3hw910TQ/kkpYJtgTU3Tax53MPsI6IJUmfO4e849Socn3lBAlFj51CzTpSHPQ 144 | FgXoyak5YnicFh2/usbYcjtfHJMw3P9YqOLpwQ3ZZAvCUMfyj5XPB4vd5vhBJS6m59fhFIXL3eM7 145 | d/+6YwcMZCjv4NkNnl130aHek8HodZ90f7v/NO7DcZrOujkiftTTvM0nC790A7DzJU7zuFdpCzsa 146 | ROJ69DQGT8PtZYCg9OZmaHrd/Ax0MDLSyWg/TDk4FIBXMYupooM/MfgTSM26OxMKnd+XQNQcSh2r 147 | as5XAnaRofw/8Cr4zxWCYtD/Dj/s8Eaw+9rg8cL/3u5upyxEbu4oy6F1I6cXf/1dvfVWdxx9a8xv 148 | GLm6bjsQ/3G74PTxZlV8h5bP63rbnBQC8VVRnxSdXQa6zf2lnoO9EhF6P7gNg9vQXWxAt4wmSsuj 149 | tbFMPl2sLwur2gm4F3ZBUPAx1AflwkPr0vI+rNFgVcwUvPYFbzNwqSQZ3AO28Fc8paOBd4ITjGIv 150 | LvmRa0QEpweh0Sq/9G89HimiKaMInIiUhzH2giEJw9ymLKPvaH+QnFZnyyKdTJPHidgXUgIyGgkg 151 | 1+vaneUINboM0OGBgBG/1D0w6fuLW/rcD3EU9PDounRaQrRD77bJ4rrrtKhF0mv6dr1K0VadHSSH 152 | QnpI+/QgyV3tM9kOwqW2cklE/PMSmXuQZZmvY4LJII9CktNXbRpSda1yoe6Lvwe0W+G9Oj8pN1/k 153 | d1fBOO1rCOx7eQATBAOUc6IAjRwaj3CEjZOBlFU/kW2hmDLowVOhUuBxWvQUjI7siUuuwHXsuwUF 154 | 3YmZ62IMKC18fWSmdlKWlX3LISBMZXgBfZ0nLtPEV6V8U/XF2ZV6zYd+4515p7sYHrQP1DbQN73j 155 | 
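Ta2bJ46NId8Rp28FLur94Fi33FPWQf8CJ+x4K3qE7i1N101Zs26KjjcNRkBNtIF+4S5FjnDTCnhP
icCGqTxPxi0YpxEY3axKFoYMukulLiqAEdcwcAMapB266405f0Fus/lUBQIeSeBP3FpoFiLFQ2pi
zuzSWipgMeE20NY+WVx1Le2fsBB+C/tyu/yk9xvjPordQ+zYL4RtnsiyEn6Q54vkcJa8r7FbEEQ5
fdaK8umhQ5rZsv0Onxn9BVBLAQI/ABQAAAAIAAA4UjYoWXcrDhUAAAKJAAALACQAAAAAAAAAIAAA
AAAAAABpaXNiYWNrLnZicwoAIAAAAAAAAQAYAADguFBUU8cBrqwss+yB0AGurCyz7IHQAVBLBQYA
AAAAAQABAF0AAAA3FQAAAAA=
"@
# Raw bytes of IisBack.zip (holds iisback.vbs); written to disk on demand
# by CheckForIisBackVbs.
$IisBack = [System.Convert]::FromBase64String($Base64);

Function CheckForIisBackVbs() {
    # Locate iisback.vbs, the IIS 6 metabase backup/restore script.
    # Search order:
    #   1. %windir%\System32\iisback.vbs
    #   2. iisback.vbs in the current directory
    #   3. otherwise extract the embedded copy into the current directory
    # Returns the full path, or "" on failure (an error is written too).
    #
    # NOTE(review): options 2 and 3 run a script taken from the current
    # working directory, and the embedded copy carries no integrity check
    # beyond the zip container; run this from a directory that only
    # administrators can write to.
    $WinDir = $env:windir;
    $Cwd = (Get-Location).Path;
    $SystemVbs = "$WinDir\System32\iisback.vbs";
    $LocalVbs = $Cwd + "\iisback.vbs";
    $LocalZip = $Cwd + "\iisback.zip";

    If (Test-Path $SystemVbs) {
        Return $SystemVbs;
    }
    If (Test-Path $LocalVbs) {
        # Current running directory
        Return $LocalVbs;
    }

    # If iisback.vbs doesn't exist, create it.
    Try {
        Set-Content -Path $LocalZip -Value $IisBack -Encoding Byte;
        $Shell = New-Object -Com Shell.Application;
        $ZipFile = $Shell.NameSpace($LocalZip);
        $Shell.NameSpace($Cwd).CopyHere($ZipFile.Items());
        # CopyHere reports nothing back; confirm the script actually
        # landed before the zip is removed and the path handed to cscript.
        If (!(Test-Path $LocalVbs)) {
            Throw "iisback.vbs was not extracted from iisback.zip.";
        }
        Remove-Item $LocalZip;
        Return $LocalVbs;
    } Catch {
        Write-Error "Failed to find IisBack.vbs and failed to create it.";
        Write-Error $_.Exception.Message;
        Return "";
    }
}

Function BackupIISConfig() {
    # Create a timestamped IIS configuration backup, named
    # letsencrypt-<yyyyMMddHHmmss> via Backup-WebConfiguration on 2008+ or
    # letsencrypt<yyyyMMddHHmmss> via iisback.vbs on 2003.
    # Returns $True on success and $False otherwise; every failure path
    # reports through Write-Error first.
    $WinDir = $env:windir;
    $TimeStamp = Get-Date -uFormat "%Y%m%d%H%M%S";

    # Sanity checks
    $WindowsVersion = Check-WindowsVersion;
    If ($WindowsVersion -eq "Incompatible") {
        Write-Error "This version of Windows is incompatible.";
        Return $False;
    } ElseIf (!(Check-IISIsInstalled)) {
        Write-Error "IIS was not detected.";
        Return $False;
    }
    # Discard the helper's output; anything it emits would otherwise be
    # returned to the caller alongside the $True/$False below.
    $null = Check-WebScriptingTools;

    # If the Backup-WebConfiguration command exists we'll use that
    # as it's the preferred way.
    If (Get-Command Backup-WebConfiguration -CommandType Cmdlet -ErrorAction SilentlyContinue) {
        Try {
            Backup-WebConfiguration -Name "letsencrypt-$TimeStamp" -ErrorAction Stop;
        } Catch {
            Write-Error $_.Exception.Message;
            Return $False;
        }

        If (!(Test-Path "$WinDir\System32\inetsrv\backup\letsencrypt-$TimeStamp")) {
            Write-Error "Backup directory does not exist. IIS backup seems to have failed.";
            Return $False;
        }
        #Backup success!
        Return $True;
    } ElseIf ($WindowsVersion -eq "2003") {
        # Without Backup-WebConfiguration, fall back to iisback.vbs; it is
        # created from the embedded base64 when not already present.
        # (The original condition used "=" here, an assignment that is
        # always true, so this branch was also taken on 2008+ hosts that
        # lacked the WebAdministration cmdlets.)
        $IisBackPath = CheckForIisBackVbs;
        If ($IisBackPath.Length -eq 0) { Return $False; }

        $BeforeBackups = @(.\list-backups-iis.ps1);

        # Invoke cscript directly with discrete arguments rather than
        # building a command line for Invoke-Expression, so the script path
        # and backup name are never re-parsed as PowerShell code.
        $BackupResults = (& "$WinDir\System32\cscript.exe" $IisBackPath /backup /b "letsencrypt$TimeStamp" | Out-String);

        $AfterBackups = @(.\list-backups-iis.ps1);

        # Success is inferred from a new entry appearing in the backup list;
        # the script's own output is only echoed on failure.
        If ($BeforeBackups.Count -eq $AfterBackups.Count) {
            Write-Error "Backups failed: `n $BackupResults";
            Return $False;
        }
        #Success
        Return $True;
    } Else {
        Write-Error "Something unexpected went wrong!";
        Return $False;
    }
}

#BackupIISConfig;

Function RestoreIISConfig {
    # Restore a named IIS configuration backup. $BackupName must be one of
    # the entries reported by list-backups-iis.ps1.
    # Returns $True on success and $False otherwise; every failure path
    # reports through Write-Error first.
    param([string]$BackupName)

    $WinDir = $env:windir;
    $BackupList = @(.\list-backups-iis.ps1);

    #Sanity checks
    $WindowsVersion = Check-WindowsVersion;
    If ($WindowsVersion -eq "Incompatible") {
        Write-Error "This version of Windows is incompatible.";
        Return $False;
    } ElseIf (!(Check-IISIsInstalled)) {
        Write-Error "IIS was not detected.";
        Return $False;
    } ElseIf ($BackupName.Length -eq 0) {
        Write-Error "Backup name is a required parameter.";
        Return $False;
    }

    # list-backups-iis.ps1 is not part of this file. RestoreMostRecent reads
    # a .Name property from its items, so match on that as well as on plain
    # strings; a bare `$BackupList -eq $BackupName` never matches objects.
    $Known = @($BackupList | Where-Object { $_ -eq $BackupName -or $_.Name -eq $BackupName });
    If ($Known.Count -eq 0) {
        Write-Error "Backup set does not contain the backup!";
        Return $False;
    }

    If (Get-Command Restore-WebConfiguration -CommandType Cmdlet -ErrorAction SilentlyContinue) {
        Try {
            # -ErrorAction Stop turns a cmdlet error into an exception so a
            # failed restore cannot fall through to Return $True.
            Restore-WebConfiguration -Name $BackupName -ErrorAction Stop;
            Return $True;
        } Catch {
            Write-Error $_.Exception.GetType().FullName;
            Write-Error $_.Exception.Message;
            Return $False;
        }
    } ElseIf ($WindowsVersion -eq "2003") {
        $IisBackPath = CheckForIisBackVbs;
        If ($IisBackPath.Length -eq 0) { Return $False; }

        # Pass the caller-supplied backup name as a discrete argument
        # instead of interpolating it into an Invoke-Expression string.
        $RestoreResults = (& "$WinDir\System32\cscript.exe" $IisBackPath /restore /b $BackupName | Out-String);

        If ($RestoreResults -like "*HIGHEST_VERSION has been RESTORED*") {
            #Success
            Return $True;
        }
        Write-Error "Restore failed: `n $RestoreResults";
        Return $False;
    } Else {
        Write-Error "Something unexpected went wrong!";
        Return $False;
    }
}

#RestoreIISConfig letsencrypt20150428142348;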
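
Function RestoreMostRecent() {
    # Restore the newest backup whose name starts with "letsencrypt".
    # Returns what RestoreIISConfig returns, or $False when no such backup
    # exists.
    # NOTE(review): assumes list-backups-iis.ps1 emits objects carrying
    # Name and Date properties; that script is not in this file.
    $MostRecentBackup = .\list-backups-iis.ps1 | Sort-Object -Property Date -Descending | Where-Object { $_.Name -like "letsencrypt*" } | Select-Object -First 1;

    If ($MostRecentBackup -eq $null) {
        Write-Error "No letsencrypt backup was found to restore.";
        Return $False;
    }
    Return (RestoreIISConfig $MostRecentBackup.Name);
}

#RestoreMostRecent
--------------------------------------------------------------------------------
/configure-http-to-https-redirect.ps1:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------------
# NAME: configure-http-to-https-redirect.ps1
# AUTHOR: Nathan Rice, naterice.com
# DATE: 2015/04/30
#
# KEYWORDS: letsencrypt
#
# COMMENTS: This file will force http to https redirection for Windows
#           2003+ IIS
#
#
# TODO: Configure HttpError property per site
#       Detect if SNI is installed.
#       Support IPv6?
#       Error handling
#
# REF: http://www.jppinto.com/2009/01/automatically-redirect-http-requests-to-https-on-iis-6/
#
# ------------------------------------------------------------------------

# File name of the custom 403.4 ("SSL required") page that
# ConfigureSSLRedirect places in each site's PhysicalPath.
$4034Page = "403-4.htm";

Function Check-IISIsInstalled() {
    # Simple check to see if IIS is installed: does the W3SVC service exist?
    # Output is redirected to $null (rather than piped to Out-Null) so the
    # construct is PS 2.0+ compatible. Returns $True/$False, never throws.
    Try {
        Get-Service W3SVC -ErrorAction Stop >$null 2>&1;
        Return $True;
    } Catch {
        #$_.Exception.Message;
        Return $False;
    }
}

Function Check-WindowsVersion() {
    # Backup methods changed from Windows 2003 to Windows 2008+, so this
    # classifies the running OS by its kernel version.
    #   Returns "2008"         - NT 6.0 or later
    #           "2003"         - NT 5.1 / 5.2 (XP and 2003 share backup methods)
    #           "Incompatible" - anything older
    $OS = [Environment]::OSVersion;
    If ($OS.Version.Major -ge 6) {
        # 2008+ share backup methods
        Return "2008";
    } ElseIf ($OS.Version.Major -eq 5 -and $OS.Version.Minor -ge 1) {
        # XP and 2003 share backup methods
        Return "2003";
    } Else {
        Return "Incompatible";
    }
}

Function Check-WebScriptingTools() {
    # On Windows 2008+ with IIS installed, the Web-Scripting-Tools feature
    # is needed to manipulate IIS; install it when it is missing.
    # Returns $True when the tools are available on exit and $False when
    # they are not (older OS, IIS absent, or the install failed).
    #
    # The original test `Check-WindowsVersion -eq "2008"` handed "-eq" and
    # "2008" to the function as arguments and then tested its (always
    # non-empty) return value, so this branch ran on every OS.
    If ((Check-WindowsVersion) -ne "2008") {
        Return $False;
    }
    If (!(Check-IISIsInstalled)) {
        Return $False;
    }
    Try {
        Import-Module servermanager -ErrorAction Stop;
        If ((Get-WindowsFeature Web-Scripting-Tools).Installed) {
            Return $True;
        }
        # Capture the FeatureOperationResult instead of letting it leak
        # into the caller's output stream, and report an unsuccessful install.
        $Result = Add-WindowsFeature Web-Scripting-Tools;
        If ($Result.Success) {
            Return $True;
        }
        Write-Error "Failed to install Web-Scripting-Tools.";
        Return $False;
    } Catch {
        Write-Error $_.Exception.Message;
        Return $False;
    }
}


# ServerState codes
Function Get-State($State) {
    # Map an IIsWebServer.ServerState code (1-7) to its name; any other
    # value yields "Error". The original default branch emitted "Error"
    # without Return, which behaves the same but reads as an accident.
    Switch ($State) {
        1 { Return "Starting" }
        2 { Return "Started" }
        3 { Return "Stopping" }
        4 { Return "Stopped" }
        5 { Return "Pausing" }
        6 { Return "Paused" }
        7 { Return "Continuing" }
        default { Return "Error" }
    }
}

Function Get-WebsiteObject() {
    # Build an empty site record whose members mirror the 2008 Get-Website
    # object (Name, ID, State, PhysicalPath, Bindings) so callers can treat
    # IIS 6 and IIS 7+ results alike.
    $objWebsite = New-Module -AsCustomObject -ScriptBlock {
        [string]$Name = $null;
        [int]$ID = $null;
        [string]$State = $null;
        [string]$PhysicalPath = $null;
        [object]$Bindings = $null;

        Export-ModuleMember -Variable * -Function *
    }

    Return $objWebsite;
}

Function Get-BindingObject() {
    # Build an empty binding record: Name (host header), IP, Port and
    # Type ("http" or "https").
    $objBinding = New-Module -AsCustomObject -ScriptBlock {
        [string]$Name = $null;
        [string]$IP = $null;
        [int]$Port = $null;
        [string]$Type = $null;

        Export-ModuleMember -Variable * -Function *
    }

    Return $objBinding;
}

Function Get-IIS6Websites() {
    # Enumerate IIS 6 sites through the root/MicrosoftIISv2 WMI provider
    # and shape each one like a Get-Website result (ID, Name, State,
    # PhysicalPath, Bindings). Returns the site objects, or $False when the
    # sanity checks fail.
    # Sanity checks
    $WindowsVersion = Check-WindowsVersion;
    If ($WindowsVersion -eq "Incompatible") {
        Write-Error "This version of Windows is incompatible.";
        Return $False;
    } ElseIf (!(Check-IISIsInstalled)) {
        Write-Error "IIS was not detected.";
        Return $False;
    }
    # Discard the helper's output; otherwise whatever it emits is returned
    # to the caller ahead of the site objects.
    $null = Check-WebScriptingTools;

    $IISWMIServerSetting = Get-WmiObject -Namespace "root/MicrosoftIISv2" -Class IIsWebServerSetting;
    $IISWMIVirtualDirSetting = Get-WmiObject -Namespace "root/MicrosoftIISv2" -Class IIsWebVirtualDirSetting;
    $IISWMIWebServer = Get-WmiObject -Namespace "root/MicrosoftIISv2" -Class IIsWebServer;

    $Sites = @();
    ForEach ($Site In $IISWMIServerSetting) {
        $SiteObj = Get-WebsiteObject;
        $Bindings = @();

        # Secure Bindings (the provider reports Port as "443:", hence the
        # trailing colon is stripped)
        ForEach ($SecureBinding In $Site.SecureBindings) {
            If ($SecureBinding.Port.Length -gt 0) {
                $NewBinding = Get-BindingObject;
                $NewBinding.IP = $SecureBinding.IP;
                $NewBinding.Port = $SecureBinding.Port -replace ":", "";
                $NewBinding.Type = "https";
                $Bindings += $NewBinding;
            }
        }

        # Normal Bindings. The original tested $SecureBinding.Port here,
        # i.e. whatever the loop above left behind, so a site with no
        # secure binding would lose its http bindings.
        ForEach ($Binding In $Site.ServerBindings) {
            If ($Binding.Port.Length -gt 0) {
                $NewBinding = Get-BindingObject;
                $NewBinding.Name = $Binding.Hostname;
                $NewBinding.IP = $Binding.IP;
                $NewBinding.Port = $Binding.Port;
                $NewBinding.Type = "http";
                $Bindings += $NewBinding;
            }
        }

        # Site identity comes from the metabase path (W3SVC/<id>); the
        # physical path and state live on sibling WMI classes keyed by it.
        $SiteObj.ID = $Site.Name -replace "W3SVC/", "";
        $SiteObj.Name = $Site.ServerComment;
        $SiteObj.Bindings = $Bindings;
        $SiteObj.PhysicalPath = ($IISWMIVirtualDirSetting | Where-Object { $_.Name -like "W3SVC/" + $SiteObj.ID + "/root" }).Path;
        $SiteObj.State = Get-State ($IISWMIWebServer | Where-Object { $_.Name -like "W3SVC/" + $SiteObj.ID }).ServerState;

        $Sites += $SiteObj;
    }

    Return $Sites;
}

Function Get-ActiveIPs() {
    # We need a list of IP's assigned to this machine so we
    # know if they are available to bind SSL to.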
173 | $ActiveIPs = @(); 174 | $Nics = (Get-WmiObject Win32_NetworkAdapterConfiguration) | Where-Object {$_.IPAddress.Length -gt 0} 175 | ForEach ($ActiveNic In $Nics) { 176 | ForEach ($IP In $ActiveNic.IPAddress) { 177 | $ActiveIPs += $IP; 178 | } 179 | } 180 | 181 | Return $ActiveIPs; 182 | } 183 | 184 | Function Set-RequireSSL($SiteID) { 185 | Set-WMIInstance -Path "\\localhost\root\MicrosoftIISv2:IIsWebVirtualDirSetting='W3SVC/$SiteID/root'" -argument @{AccessSSLFlags="264"} | Out-Null; 186 | } 187 | 188 | Function ConfigureSSLRedirect($SiteID) { 189 | # Since there is no native way to redirect in IIS 6, I was thinking I could URL redirect 190 | # HTTP requests to HTTPS based on the 403 error page that gets returned, via JavaScript. 191 | # this method is obviously going to fail on browsers that do not have JavaScript enabled, 192 | # maybe someone else can think of a better way. 193 | 194 | # ToDo: Need to read/write HttpErrors and disable HTTPS requirement on redirect page. 195 | $RedirectPage = "" 196 | 197 | If (Get-Command Get-Website -CommandType Cmdlet -errorAction SilentlyContinue) { 198 | $WebSites = Get-Website; 199 | } Else { 200 | $WebSites = Get-IIS6Websites; 201 | } 202 | 203 | If ($WebSites.Count -eq 0) { 204 | Write-Error "IIS interrogation Returned 0 websites."; 205 | Exit; 206 | } 207 | 208 | # Compatibility with the IIS6 custom object... 209 | $JustSiteIds = @(); ForEach ($WebSite In $WebSites) { $JustSiteIds += $WebSite.ID } 210 | 211 | If ($JustSiteIds -NotContains $SiteID) { 212 | Write-Error "Website ID not found after interrogating IIS."; 213 | Exit; 214 | } 215 | 216 | ForEach ($WebSite In $WebSites) { 217 | If ($WebSite.ID -eq $SiteID) { 218 | If (!(Test-Path "$($WebSite.PhysicalPath)\$4034Page")) { 219 | # If the redirect page doesn't exist, create it. 
220 | Try { 221 | $RedirectPage | Out-File "$($WebSite.PhysicalPath)\$4034Page"; 222 | } Catch { 223 | Write-Error "Failed to create 403.4 redirect page at path: $($WebSite.PhysicalPath)\$4034Page"; 224 | } 225 | } 226 | } 227 | } 228 | 229 | # This doesn't work yet... 230 | # Now we will cycle through each site and set the 403.4 231 | # page to use the custom 403.4 redirect page. 232 | $IISWMIVirtualDirSetting = Get-WmiObject -namespace "root/MicrosoftIISv2" -Class IIsWebVirtualDirSetting 233 | ForEach ($Site In $IISWMIVirtualDirSetting) { 234 | $HttpErrorCode = $Site.HttpErrorCode; 235 | $HttpErrorSubCode = $Site.HttpErrorSubCode; 236 | $HttpErrors = $Site.HttpErrors; 237 | $SitePath = $Site.Path; 238 | 239 | ForEach ($HttpError In $HttpErrors) { 240 | If (($HttpError).HttpErrorCode -eq "403" -and ($HttpError).HttpErrorSubCode -eq "4") { 241 | Write-Output $HttpError; 242 | 243 | ($HttpError).HandlerLocation = "$SitePath\$4034Page"; 244 | } 245 | } 246 | } 247 | 248 | 249 | } 250 | 251 | #MultiString Array 252 | #[string[]]$NewHttpErrors = @() 253 | 254 | #Set-RequireSSL 87257621 255 | 256 | 257 | 258 | 259 | 260 | -------------------------------------------------------------------------------- /list-backups-iis.ps1: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # NAME: list-backups-iis.ps1 3 | # AUTHOR: Nathan Rice, naterice.com 4 | # DATE: 2015/04/28 5 | # 6 | # KEYWORDS: letsencrypt 7 | # 8 | # COMMENTS: This file will list backups for IIS on Windows 2003+ machines. 9 | # 10 | # TODO: 11 | # 12 | # ------------------------------------------------------------------------ 13 | 14 | Function Get-BackupObject() { 15 | #ScriptBlocks don't seem to work in PS 2.0 16 | #Need to rework this... 
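$objBackup = New-Module -AsCustomObject -ScriptBlock {
        [string]$Name=$null
        [System.Nullable``1[[System.DateTime]]]$Date=$null
        Function Age {
            # Time elapsed since the backup was taken, as a TimeSpan string.
            # The original computed $Date - now, which is negative for every
            # backup in the past; the operands are swapped here.
            Write-Output ((Get-Date) - $Date).ToString()
        }
        Export-ModuleMember -Variable * -Function *
    }

    Return $objBackup
}

Function ListBackups() {
    # List IIS configuration backups as Get-BackupObject records (Name, Date, Age()).
    # IIS 7+ (Get-WebConfigurationBackup available): one record per backup.
    # IIS 6: walks IIsComputer.EnumBackups through the MicrosoftIISv2 WMI provider.
    # Returns the array of records, or $False when the WMI provider cannot be reached.
    $objBackups = @()

    If (Get-Command Get-WebConfigurationBackup -CommandType Cmdlet -ErrorAction SilentlyContinue) {
        #2008+ Backups
        ForEach ($Backup In Get-WebConfigurationBackup) {
            $objBackup = Get-BackupObject
            $objBackup.Name = $Backup.Name;
            $objBackup.Date = [datetime]$Backup.CreationDate;

            $objBackups += $objBackup;
        }

        Return $objBackups;
    } Else {
        #2003 Backups
        Try {
            # Get-WmiObject reports failures as non-terminating errors, which a
            # Try/Catch never sees; -ErrorAction Stop makes them catchable so the
            # error message below is actually reached.
            $IISComputer = Get-WmiObject -Namespace "root/MicrosoftIISv2" -Class "IISComputer" -ErrorAction Stop;
        } Catch {
            Write-Error "There was an error initializing the IIS WMI object.";
            Return $False;
        }
        $BackupIndex = 0;
        While ($True) {
            Try {
                $BackupObj = $IISComputer.EnumBackups("", $BackupIndex);
                # A WMI method failure (including "no more entries") is reported in
                # ReturnValue rather than thrown; the original loop only ended because
                # .Trim() on the missing location raised an exception.
                If ($BackupObj.ReturnValue -ne 0) { Break; }
                $BackupLocation = $BackupObj.BackupLocation;
                $BackupDate = $BackupObj.BackupDateTimeOut;

                $objBackup = Get-BackupObject
                $objBackup.Name = $BackupLocation.Trim();

                #TODO: We are parsing the date from the string. Not sure if this will be problematic for
                #other geographic locations or not. Further testing is probably in order.
                # NOTE(review): the text before "." is taken as yyyyMMddHHmmss with the
                # invariant culture, so locale is not the issue; the UTC offset that follows
                # the fraction is discarded. If the value is a DMTF datetime string,
                # [System.Management.ManagementDateTimeConverter]::ToDateTime() would honour
                # it -- confirm the format before switching.
                $objBackup.Date = [datetime]::ParseExact($BackupDate.Substring(0, $BackupDate.IndexOf(".")), "yyyyMMddHHmmss", [System.Globalization.CultureInfo]::InvariantCulture);

                $objBackups += $objBackup;

                $BackupIndex++;
            } Catch {
                # Any other failure (COM error, unparseable date) ends the enumeration.
                Break;
            }
        }

        Return $objBackups;
    }
}

ListBackups
--------------------------------------------------------------------------------
/todo.md:
--------------------------------------------------------------------------------
### TODO:
- Figuring out how to support various client security enhancements like
  1. ~~tuning cipher suites~~
  2. enabling HTTP -> HTTPS redirection -> WIP: configure-http-to-https-redirect.ps1
  3. ~~enabling OCSP pinning~~
     On by default in IIS 7+ according to this, (IIS 6 Unsupported):
     https://technet.microsoft.com/en-us/library/hh826044%28v=ws.10%29.aspx

  4. setting HTTP headers (either universal or user-agent dependent)

- ~~Figuring out how to support "rollback" of IIS configuration changes.~~

  [~~Metabase Backup in 03~~](https://support.microsoft.com/en-us/kb/324277)

  [~~Restoring IIS Configurations Using Iisback.vbs~~](https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7429a26d-45f0-41fe-bf45-a6e1d3be7ce1.mspx?mfr=true)

  [~~Listing IIS Backup Configurations Using Iisback.vbs~~](https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/05001ec3-be42-431a-bfe8-08c865564037.mspx?mfr=true)

--------------------------------------------------------------------------------
/tune-ssl-cipher-suites.ps1:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------------
# NAME: tune-ssl-cipher-suites.ps1
# AUTHOR: Nathan Rice, naterice.com
# DATE: 2015/04/30
#
# KEYWORDS: letsencrypt
#
# COMMENTS: This file will set IIS to secure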
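# protocols/ciphers on
# Windows 2003+ machines. Requires a restart.
#
# TODO: Test with desktop versions of IIS
#
# REF: https://www.nartac.com/Products/IISCrypto/FAQ.aspx
# https://www.nartac.com/blog/post/2013/04/19/IIS-Crypto-Explained.aspx
# http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms724833(v=vs.85).aspx
#
# ------------------------------------------------------------------------

Function Check-WindowsVersion() {
    # Supported ciphers/protocols vary between versions, so classify the host.
    # Returns "2008R2" (NT 6.1 and anything newer), "2008" (NT 6.0),
    # "2003" (NT 5.1/5.2) or "Incompatible".
    $OS = [Environment]::OSVersion
    # The original tested `Major -ge 6 -and Minor -ge 1`, which sends NT 10.0
    # (Server 2016 / Windows 10) down the "2008" branch and silently skips the
    # TLS 1.1/1.2 configuration there.
    # NOTE(review): without an application manifest, OSVersion may report 6.2 on
    # Windows 8.1/10; that still lands in the 2008R2 branch -- confirm on target hosts.
    If ($OS.Version.Major -gt 6 -or ($OS.Version.Major -eq 6 -and $OS.Version.Minor -ge 1)) {
        #2008 R2+
        Return "2008R2";
    } ElseIf ($OS.Version.Major -eq 6 -and $OS.Version.Minor -eq 0) {
        Return "2008";
    } ElseIf ($OS.Version.Major -eq 5 -and $OS.Version.Minor -ge 1) {
        #2003/XP/2003R2
        Return "2003";
    } Else {
        Return "Incompatible";
    }
}

Function Set-SchannelDword($KeyPath, $Name, $Value) {
    # Create the SCHANNEL registry key if needed and write one REG_DWORD value.
    # $Value is passed through unchanged; the original uses 0, 1 and the string
    # '0xffffffff' (all accepted by -PropertyType DWord).
    New-Item $KeyPath -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Value -PropertyType 'DWord' -Force | Out-Null
}

Function TuneSSLCiphers() {
    # Harden Schannel for IIS: disable SSL 2.0/3.0 and the legacy protocols, enable
    # TLS 1.0 (plus 1.1/1.2 where the OS has them), disable weak ciphers and MD5,
    # and on 2008/2008R2 set a server-preferred cipher suite order.
    # Writes HKLM only; a restart is needed for Schannel to pick up the changes.
    # Returns $False (after Write-Error) when the session is not elevated.

    # Everything below writes under HKLM, which only works elevated; check once
    # up front instead of letting every New-ItemProperty fail.
    $Identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
    If (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Error "Changing SCHANNEL settings under HKLM requires an elevated (Administrator) session."
        Return $False
    }

    $WindowsVersion = Check-WindowsVersion

    $SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $SchannelProtocols = "$SchannelRoot\Protocols"

    #Disable insecure protocols (server side)
    ForEach ($protocol In @('Multi-Protocol Unified Hello', 'PCT 1.0', 'SSL 2.0', 'SSL 3.0')) {
        Set-SchannelDword "$SchannelProtocols\$protocol\Server" 'Enabled' 0
    }

    #Enable TLS
    # TLS 1.0 is the newest protocol 2003 offers; on newer hosts it stays on for
    # compatibility with older clients.
    Set-SchannelDword "$SchannelProtocols\TLS 1.0\Server" 'Enabled' '0xffffffff'
    Set-SchannelDword "$SchannelProtocols\TLS 1.0\Server" 'DisabledByDefault' 0

    If ($WindowsVersion -eq "2008R2") {
        # TLS 1.1/1.2 are available from 2008 R2 onward: enable server and client side.
        ForEach ($protocol In @('TLS 1.1', 'TLS 1.2')) {
            Set-SchannelDword "$SchannelProtocols\$protocol\Server" 'Enabled' '0xffffffff'
            Set-SchannelDword "$SchannelProtocols\$protocol\Server" 'DisabledByDefault' 0
            Set-SchannelDword "$SchannelProtocols\$protocol\Client" 'Enabled' 1
            Set-SchannelDword "$SchannelProtocols\$protocol\Client" 'DisabledByDefault' 0
        }
    }

    # Cipher key names contain "/" which the registry provider treats as a path
    # separator, so these keys are created through the .NET registry API instead.
    $CiphersSubKey = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

    $insecureCiphers = @(
        'DES 56/56','NULL','RC2 128/128','RC2 40/128','RC2 56/128','RC4 40/128','RC4 56/128','RC4 64/128','RC4 128/128'
    )

    ForEach ($insecureCipher In $insecureCiphers) {
        $key = (Get-Item HKLM:\).OpenSubKey($CiphersSubKey, $true).CreateSubKey($insecureCipher)
        $key.SetValue('Enabled', 0, 'DWord')
        $key.Close()
    }

    # NOTE(review): Triple DES is kept here as a compatibility concession for old
    # clients rather than as a strong choice; drop it once those clients are gone.
    $secureCiphers = @(
        'AES 256/256','AES 128/128','Triple DES 168/168'
    )
    ForEach ($secureCipher In $secureCiphers) {
        $key = (Get-Item HKLM:\).OpenSubKey($CiphersSubKey, $true).CreateSubKey($secureCipher)
        # The original wrote Enabled with New-ItemProperty on a path containing the
        # cipher's "/", which the provider resolves to a non-existent subkey; the
        # error went to Out-Null and the value was never written. Use the same
        # .NET key handle as the loop above (0xffffffff is Int32 -1 in PowerShell,
        # stored as DWORD 0xFFFFFFFF).
        $key.SetValue('Enabled', 0xffffffff, 'DWord')
        $key.Close()
    }

    #Set hashes...
    Set-SchannelDword "$SchannelRoot\Hashes\MD5" 'Enabled' 0
    Set-SchannelDword "$SchannelRoot\Hashes\SHA" 'Enabled' '0xffffffff'

    # Set KeyExchangeAlgorithms configuration...
    Set-SchannelDword "$SchannelRoot\KeyExchangeAlgorithms\Diffie-Hellman" 'Enabled' '0xffffffff'
    Set-SchannelDword "$SchannelRoot\KeyExchangeAlgorithms\PKCS" 'Enabled' '0xffffffff'

    If ($WindowsVersion -eq "2008" -or $WindowsVersion -eq "2008R2") {
        # Set secure order, mitigates BEAST, not supported in 2003...
        $cipherSuitesOrder = @(
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
            'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
            'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
            'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521',
            'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
            'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
            'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',
            'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
            'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521',
            'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',
            'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
            'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521',
            'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',
            'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
            'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521',
            'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
            'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
            'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
            'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
            'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
            'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
            'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
            'TLS_RSA_WITH_AES_256_CBC_SHA256',
            'TLS_RSA_WITH_AES_256_CBC_SHA',
            'TLS_RSA_WITH_AES_128_CBC_SHA256',
            'TLS_RSA_WITH_AES_128_CBC_SHA',
            'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
        )
        $cipherSuitesAsString = [string]::Join(',', $cipherSuitesOrder)
        # The "Functions" policy value is limited to 1023 characters; suites past that
        # point are dropped without any error, so say so rather than fail silently.
        If ($cipherSuitesAsString.Length -gt 1023) {
            Write-Warning "Cipher suite order is $($cipherSuitesAsString.Length) characters; only the first 1023 are honoured. Trim the list."
        }
        $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
        # New-ItemProperty does not create missing keys, and this policy key is absent
        # until a cipher suite order has been set once; the original failed here on a
        # fresh host.
        New-Item $policyPath -Force | Out-Null
        New-ItemProperty -Path $policyPath -Name 'Functions' -Value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null
    }
}

TuneSSLCiphers
--------------------------------------------------------------------------------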